[nsp] known networks for broadcast ping attacks

David P. Maynard dpm at flametree.com
Tue Aug 12 11:04:29 UTC 1997


Eric Wieling wrote:
> We recently implemented outbound filters for our network.  It's
> rather draconian, but it's effective and we've had no complaints yet.
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network.  That's all.
> [...]
> We also block all inbound ICMP 0/0 (echo request) and a
> bunch of other things.
> 
> --Eric

You should probably allow more ICMP types.  In particular, allowing the ones used by Path MTU discovery will make your life easier.  Trying to track down bizarre-sounding connection problems that turn out to be Path MTU discovery failures can make for an interesting day, but it gets old after a while.  I think there was a discussion here a few weeks ago on ICMP filters, so I would check the archives for details.

-dpm

-- 
 David P. Maynard, Flametree Corporation
 EMail: dpm at flametree.com,  Tel: +1 512 670 4090,  Fax: +1 512 251 8308
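As an added example (not from this thread, NANOG, or either poster), the following Python models the kind of ICMP allow list David is recommending: outbound echo requests only from our own address space, inbound echo requests dropped, but inbound "fragmentation needed" (ICMP type 3, code 4), echo reply, time exceeded and parameter problem let through so that Path MTU discovery and traceroute keep working. The network prefix, the allow list and the test packets are constructed assumptions; the parser also pulls the next-hop MTU out of a type 3/code 4 message, which is the value a host needs to recover from a PMTUD black hole.

```python
import ipaddress
import struct

# ICMP message types (RFC 792) and the PMTUD code under type 3 (RFC 1191).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 8, 11, 12
FRAG_NEEDED = 4

# Constructed: "our network" is the RFC 5737 documentation prefix.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# Inbound ICMP (type, code) pairs the filter lets through; None matches any code.
# Assumption: a minimal set that keeps Path MTU discovery and traceroute working.
INBOUND_ALLOW = {
    (ECHO_REPLY, None),           # replies to pings we sent
    (DEST_UNREACH, FRAG_NEEDED),  # "fragmentation needed and DF set": PMTUD
    (TIME_EXCEEDED, None),        # TTL expiry, needed by traceroute
    (PARAM_PROBLEM, None),        # malformed-header reports
}


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Decode the IPv4 and ICMP headers of a raw packet (checksums not verified)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP (protocol %d)" % pkt[9])
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, rest = struct.unpack_from("!BBHI", pkt, ihl)
    info = {
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "type": itype,
        "code": code,
    }
    if itype == DEST_UNREACH and code == FRAG_NEEDED:
        # RFC 1191: the router places the next-hop MTU in the low 16 bits of the
        # otherwise unused second word of the ICMP header.
        info["next_hop_mtu"] = rest & 0xFFFF
    return info


def filter_inbound(pkt: bytes) -> tuple:
    """Decide whether an ICMP packet arriving from outside is accepted."""
    p = parse_ipv4_icmp(pkt)
    if p["src"] in OUR_NET:
        return False, "inbound packet claims an internal source address"
    if p["type"] == ECHO_REQUEST:
        return False, "inbound echo request blocked"
    if (p["type"], None) in INBOUND_ALLOW or (p["type"], p["code"]) in INBOUND_ALLOW:
        return True, "type %d code %d allowed" % (p["type"], p["code"])
    return False, "type %d code %d not on the allow list" % (p["type"], p["code"])


def filter_outbound(pkt: bytes) -> tuple:
    """Outbound ICMP: only echo requests, and only with a source on our network."""
    p = parse_ipv4_icmp(pkt)
    if p["src"] not in OUR_NET:
        return False, "outbound packet with non-local source address"
    if p["type"] != ECHO_REQUEST:
        return False, "outbound ICMP type %d blocked" % p["type"]
    return True, "outbound echo request allowed"


def build_icmp_packet(src: str, dst: str, itype: int, code: int, rest: int = 0) -> bytes:
    """Constructed test packet: minimal IPv4 header plus an 8-byte ICMP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + struct.pack("!BBHI", itype, code, 0, rest)


if __name__ == "__main__":
    # A router on the path reports that one of our hosts sent a DF packet too big for a 1400-byte link.
    frag = build_icmp_packet("198.51.100.1", "192.0.2.10", DEST_UNREACH, FRAG_NEEDED, rest=1400)
    print("next-hop MTU:", parse_ipv4_icmp(frag)["next_hop_mtu"], filter_inbound(frag))
    print(filter_inbound(build_icmp_packet("198.51.100.1", "192.0.2.10", ECHO_REQUEST, 0)))
    print(filter_outbound(build_icmp_packet("203.0.113.7", "198.51.100.1", ECHO_REQUEST, 0)))
```

The point of the allow list is that a filter which only passes echo request/reply silently drops the type 3/code 4 message, so a host that sets DF never learns the smaller MTU and large transfers hang while small ones work, which is exactly the "bizarre-sounding connection problem" described above. Logging the reason string from a dropped packet makes those cases visible rather than mysterious.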